AMENDMENTS TO THE CLAIMS
Please amend claims 1, 3-7, 9, 11, 13-19. Please cancel claims 10 and 20.

1. (Currently Amended) A machine-implemented method for managing access to data,
the method comprising the steps of:
detecting that a database command is issued;
wherein said database command requires access to at least one column in a table;
invoking a policy function which database metadata associates with at least one
column in a table;
receiving an expression returned by invoking said policy function;
rewriting said database command by creating a modified database command based
on the database command that incorporates said expression;
wherein the modified database command specifies, based on the expression, whether
to mask a value of the at least one column by returning a mask of the value
instead of the value; and
executing said modified database command.

2. (Original) The method of claim 1 , 

wherein said database command requests at least two values located in at least two 
columns; 

wherein each of the two values are located in a different one of the at least two 
columns; and 

wherein the step of executing the modified database command includes at least 
returning at least one of the at least two values, and 

returning a masked value instead of at least a second of the at least two values.

3. (Currently Amended) The method of claim 1, wherein the modified
database command includes at least expression is
a condition expression returned by a policy function.

4. (Currently Amended) The method of claim 1, wherein the masked value 
is returned for rows 

that are retrieved for the database command issued, 
that do not satisfy the condition, and 
to which access privileges are granted. 

5. (Currently Amended) The method of claim 1, further comprising:
storing wherein said database metadata that associates a list of one or more columns
with a policy used for controlling access to the one or more columns; and
wherein the step of rewriting is performed if a match is found between the at least one
column to which the database command requires access and the list of one or
more columns.

6. (Currently Amended) The method of claim 1, further comprising wherein:
storing said database metadata that associates a list of one or more columns with a
policy used for controlling access to the one or more columns; and
wherein the step of rewriting said database command by creating a modified database
command is not performed if a match is not found between the list of one or
more columns and the at least one column to which the database command
requires access.

7. (Currently Amended) The method of claim 1, further comprising:
creating a the policy function that returns a condition expression;
wherein the step of creating the modified database command includes incorporating
the condition expression and the database command into the modified
database command.



8. (Original) The method of claim 7, further comprising: 

creating a policy referencing the policy function and specifying trigger columns that 
trigger implementing the policy. 



9. (Currently Amended) The method of claim 1, further comprising registering a the
policy function with a database server, wherein the policy function returns a condition
expression and the modified database command is based on the condition expression.



10. (Cancelled) 

11. (Currently Amended) A machine-readable medium carrying one or more sequences
of instructions, which when executed by one or more processors, causes the one or
more processors to perform a method comprising the steps of:
detecting that a database command is issued;
wherein said database command requires access to at least one column in a table;
invoking a policy function which database metadata associates with at least one
column in a table;
receiving an expression returned by invoking said policy function;
rewriting said database command by creating a modified database command based
on the database command that incorporates said expression;
wherein the modified database command specifies, based on the expression, whether
to mask a value of the at least one column by returning a mask of the value
instead of the value; and
executing said modified database command.

12. (Original) The machine readable medium of claim 1,

wherein said database command requests at least two values located in at least two 
columns; 

wherein each of the two values are located in a different one of the at least two 
columns; and 

wherein the step of executing the modified database command includes at least 
returning at least one of the at least two values, and 

returning a masked value instead of at least a second of the at least two values. 

13. (Currently Amended) The machine-readable medium of claim 1,
wherein the modified database command includes at least expression is a
condition expression returned by a policy function.

14. (Currently Amended) The machine-readable medium of claim 1, wherein the masked 
value is returned for rows 

that are retrieved for the database command issued, 
that do not satisfy the condition, and 
to which access privileges are granted. 

15. (Currently Amended) The machine-readable medium of claim 1,
wherein the method further comprises: storing said database metadata that associates a
list of one or more columns with a policy used for controlling access to the
one or more columns; and
wherein the step of rewriting is performed if a match is found between the at least one
column to which the database command requires access and the list of one or
more columns.

16. (Currently Amended) The machine-readable medium of claim 1, wherein the method
further comprises:
storing said database metadata that associates a list of one or more columns with a
policy used for controlling access to the one or more columns; and
wherein the step of rewriting said database command by creating a modified database
command is not performed if a match is not found between the list of one or
more columns and the at least one column to which the database command
requires access.

17. (Currently Amended) The machine-readable medium of claim 1, wherein the
method steps further comprises: comprise
creating a the policy function that returns a condition expression;
wherein the step of creating the modified database command includes incorporating
the condition expression and the database command into the modified
database command.

18. (Currently Amended) The machine-readable medium of claim 7, wherein the
method steps further comprises: comprise creating a policy referencing the policy
function and specifying trigger columns that trigger implementing the policy.

19. (Currently Amended) The machine-readable medium of claim 1, wherein the
method steps further comprises comprise registering a the policy function with a
database server, wherein the policy function returns a condition expression and the
modified database command is based on the condition expression.

20. (Cancelled) 
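
The rewrite flow recited in claims 1, 4, 5 and 6, as an added illustration that is not part of the filing or of any implementation by the applicant. Assumptions: SQLite as the database, a structured (table, column list) request in place of SQL parsing, a hypothetical `emp` table and `dept_policy` function, and NULL as the mask.

```python
import re
import sqlite3

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # identifiers are spliced into SQL

def dept_policy(ctx):
    """Hypothetical policy function: returns a condition expression and its binds."""
    return "dept = :ctx_dept", {"ctx_dept": ctx["dept"]}

# Stand-in for database metadata: table -> (protected column list, policy function).
POLICIES = {"emp": ({"salary", "ssn"}, dept_policy)}

def rewrite_select(table, columns, ctx):
    """Return (sql, binds), rewritten only if a protected column is requested."""
    for name in (table, *columns):
        if not IDENT.fullmatch(name):
            raise ValueError(f"rejected identifier: {name!r}")
    protected, policy_fn = POLICIES.get(table, (set(), None))
    hits = protected.intersection(columns)
    if not hits:  # no match with the column list: command runs unmodified
        return f"SELECT {', '.join(columns)} FROM {table}", {}
    cond, binds = policy_fn(ctx)  # expression returned by the policy function
    select_list = [
        f"CASE WHEN {cond} THEN {c} ELSE NULL END AS {c}" if c in hits else c
        for c in columns
    ]  # NULL is the mask (assumption) for rows that fail the condition
    return f"SELECT {', '.join(select_list)} FROM {table}", binds

def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)",
                     [("ann", "hr", 100), ("bob", "eng", 200)])
    return conn

def run(conn, table, columns, ctx):
    """Execute the (possibly rewritten) command and return rows sorted by name."""
    sql, binds = rewrite_select(table, columns, ctx)
    return sorted(conn.execute(sql, binds).fetchall())

if __name__ == "__main__":
    print(run(make_db(), "emp", ["name", "salary"], {"dept": "hr"}))
```

The session value is passed as a bind parameter rather than concatenated into the condition, and every identifier is validated before it is placed in the command text, since the rewritten command is assembled as a string.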